Is there any special configuration for enabling Kerberos authentication
in Firefox? Normally one would simply set the Kerberos whitelist for
using "about:config":
network.negotiate-auth.trusted-uris = "my.domain,"
My impression is that the implementation in Firefox is broken. Here is
what I tried:
1. Enable firefox debug
$ export NSPR_LOG_MODULES=negotiateauth:5
$ export NSPR_LOG_FILE=/tmp/moz.log
$ ktrace firefox
2. Log shows that gssapi failed to load
$ cat /tmp/moz.log
750271712[89789780]: service = inout.deshaw.com
750271712[89789780]: using negotiate-gss
750271712[89789780]: entering nsAuthGSSAPI::nsAuthGSSAPI()
750271712[89789780]: Fail to load gssapi library
750271712[89789780]: entering nsAuthGSSAPI::Init()
3. ktrace confirms the attempt to load libgssapi.so (5.4-release)
$ kdump | grep -B1 -A1 gss
...
20139 firefox CALL open(0x214383e0,0<O_RDONLY>)
20139 firefox NAMI "/usr/lib/libgssapi.so.6.0"
20139 firefox RET open 51/0x33
--
20139 firefox GIO fd 2 wrote 74 bytes
"firefox:/usr/lib/libgssapi.so.6.0: undefined symbol
'krb5_cc_type_memory'
"
Using firefox-25.0 from 5.4-current (Nov 13 snapshot) I see this:
30981 firefox CALL open(0x229e43e0,0<O_RDONLY>)
30981 firefox NAMI "/usr/lib/libgssapi.so.7.1"
30981 firefox RET open 53/0x35
--
30981 firefox GIO fd 2 wrote 74 bytes
"firefox:/usr/lib/libgssapi.so.7.1: undefined symbol
'krb5_cc_type_memory'
4. This symbol is definitely visible
$ nm /usr/lib/libgssapi.so.7.1 | grep krb5_cc_type_memory
U krb5_cc_type_memory
Even without this functionality it's wonderful to see firefox-25.0 in
-current!
--
Eric Radman | http://eradman.com
